🚨 Vilonia, Arkansas rejects a cryptocurrency mining proposal after residents voice concerns about noise and energy use! Meanwhile, North Korean hackers set up U.S. firms to target crypto developers. Stay https://t.co/NgGxVc1eko
🇰🇵 North Korean hackers are using "NimDoor," malware that disguises itself as Zoom updates and spreads via Telegram, to steal crypto wallet data and passwords by bypassing Apple’s security. 👀 https://t.co/L968SnMBl2
ZachXBT reveals a worrying trend: DPRK IT workers have earned over $16.5M this year—posing as devs in crypto & tech firms. Many launder funds through U.S. exchanges like Coinbase & Robinhood, not just offshore platforms. Is your project unknowingly funding a regime? Let’s talk
North Korean state-sponsored hackers have begun using a newly identified macOS malware family dubbed “NimDoor” to infiltrate Web3 and cryptocurrency businesses, according to research published by SentinelOne on 2 July. The attackers impersonate trusted contacts over Telegram, schedule bogus Zoom calls through Calendly and then send victims an email that urges them to run a fraudulent “Zoom SDK update.”

The multi-stage payload combines AppleScript, Bash, C++ and binaries compiled in the rarely used Nim programming language, allowing it to bypass many of Apple’s built-in defenses. Once installed, NimDoor injects itself into system processes, establishes encrypted WebSocket connections to command-and-control servers and harvests crypto-wallet data, Keychain credentials, browser histories and Telegram databases. Researchers say the malware’s most notable feature is a signal-based persistence mechanism: if a user or security tool attempts to terminate the process, custom SIGINT and SIGTERM handlers reinstall the core components and recreate launch agents, making the intrusion difficult to eradicate.

The campaign underscores a broader escalation in North Korean targeting of macOS; separate security firms have also tracked related Poseidon- and Odyssey-branded stealers distributed through similar social-engineering tactics. Cyber-intelligence analyst ZachXBT estimates that North Korean IT operatives posing as developers have already funneled more than US$16.5 million through U.S. exchanges this year, suggesting the regime is coupling direct malware theft with insider access to fund its sanctions-hit economy.

Security specialists advise crypto firms to verify software updates out-of-band, restrict AppleScript execution and monitor for anomalous launch agents and WebSocket traffic.
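As an added example, not code from SentinelOne's research or from the article, here is a small Python audit of user-level LaunchAgent plists that applies the checks the advice above implies: an Apple-namespaced label sitting in a user's LaunchAgents directory, a program living in a hidden or temporary path, and the RunAtLoad+KeepAlive combination that makes launchd respawn a job whenever it is killed. The plist contents, labels and paths are constructed for the example and are not real NimDoor indicators.

```python
import plistlib
from pathlib import PurePosixPath

# Paths a user-level launch agent has no legitimate reason to run its program from
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/", "/Users/Shared/")

# Constructed sample plists, as they would sit in ~/Library/LaunchAgents (not real indicators)
SAMPLE_PLISTS = {
    # Apple-looking label in a user dir, hidden program path, respawns when killed
    "com.apple.zoomsdk.update.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.zoomsdk.update</string>
<key>ProgramArguments</key><array><string>/Users/dev/Library/.zoomsdk/update</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>""",
    # Ordinary vendor helper: runs from an app bundle, no KeepAlive
    "com.example.editor.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.editor.helper</string>
<key>ProgramArguments</key><array><string>/Applications/Editor.app/Contents/MacOS/helper</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
}


def audit_launch_agent(filename, plist_bytes):
    """Return a list of findings for one user LaunchAgent plist (empty list = nothing odd)."""
    findings = []
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label", "")
    args = agent.get("ProgramArguments") or ([agent["Program"]] if "Program" in agent else [])
    program = args[0] if args else ""

    # Apple's own agents live under /System/Library/LaunchAgents, not in a user's home directory
    if label.startswith("com.apple."):
        findings.append(f"{filename}: Apple-style label '{label}' in a user LaunchAgents dir")
    # Any hidden directory component in the executable path (e.g. ~/Library/.zoomsdk/...)
    if any(part.startswith(".") for part in PurePosixPath(program).parts[1:]):
        findings.append(f"{filename}: program lives in a hidden directory: {program}")
    if program.startswith(TEMP_DIRS):
        findings.append(f"{filename}: program runs from a temporary/shared path: {program}")
    # RunAtLoad + KeepAlive: launchd restarts the job every time it is terminated
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append(f"{filename}: RunAtLoad+KeepAlive, launchd will respawn it if killed")
    return findings


def audit_all(plists):
    """Map each plist filename to its findings, keeping only the ones with something to report."""
    results = {name: audit_launch_agent(name, data) for name, data in plists.items()}
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in audit_all(SAMPLE_PLISTS).items():
        print("\n".join(hits))
```

To run it against a real machine, replace SAMPLE_PLISTS with the bytes of each file under ~/Library/LaunchAgents; the heuristics are a starting point and will need tuning for legitimate vendor agents that use KeepAlive.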